Vulnerability management
Understanding vulnerability management
Nokia recognizes that vulnerabilities in Nokia products and in third party software integrated into Nokia products can have a significant impact on customer networks. Integrated into the Design for Security (DFSEC) process, Nokia has made vulnerability management a well-disciplined practice to ensure products are secure during their entire lifespan.
Nokia’s principles of vulnerability management include gathering vulnerability information from various sources, including feeds from the Internet, OEM partners and customers. The practice requires that all vulnerabilities are analyzed and that correction plans are created for all valid vulnerabilities. Some vulnerability notifications will be false positives, for example where a vulnerable operating system component is not included in a product. Nokia’s vulnerability management runs continuously alongside the product life cycle process, regardless of the stage a product is in.
Nokia aims to correct vulnerabilities in all relevant products
The number of identified vulnerabilities has increased in recent years. As part of our commitment to protect critical communication networks, Nokia aims to promptly address vulnerabilities in all relevant products. Nokia continually strives to increase its performance in analyzing and remediating software vulnerabilities.
Nokia understands customer needs to protect their mission critical networks
An increasing number of standard protocols and off-the-shelf, third party components, operating systems and software are being used in Nokia products. As the number of interconnections between different networks increases, products must be designed to operate in increasingly open, hostile and evolving environments. Products and networks need to be designed with layered security in mind and trust in network perimeter defenses cannot be the only layer of defense. A vulnerability in a third party operating system can affect all Nokia products using that operating system. If any of those products is connected to the Internet, the vulnerability could be used to propagate further into the network.
Nokia recognizes that vulnerabilities can have serious consequences for customer networks. Customers require that Nokia ensures the elimination of security vulnerabilities from its products and solutions. This customer mandate is a top priority and is addressed by Nokia’s vulnerability management process.
Nokia communicates alerts and corrections to its customers
Nokia seeks to balance the need for transparent communication about vulnerabilities with the risk of hostile actors using such vulnerability notifications to facilitate attacks against networks. We aim to document all the security vulnerabilities we’re able to resolve, and to share this documentation with affected customers based on Nokia’s customer communication practices. This is to ensure high-quality and professionally documented deliveries to customers. Typically, the documentation would include the name of the vulnerability, Nokia’s assessment of the severity of the threat, the CVE ID and, where applicable, the third party software component version.
See further details of Nokia’s responsible disclosure policy.
Nokia is represented on the panel of experts that evaluates research input for the GSMA Coordinated Vulnerability Disclosure (CVD) program.
Handling vulnerability management centrally
Nokia has a centralized tool to handle vulnerability management. It contains up-to-date information about security vulnerabilities detected in Nokia products and in third party software. The tool obtains vulnerability inputs from the latest available security patch information. Every Nokia product registers in the tool the third party components used in each product release, so that only the vulnerabilities relevant to that release are reported.
The tool enables the easy tracking and reporting of vulnerabilities in Nokia products by integrating information from various sources.
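As an added illustration (not Nokia’s tool or code), the core of the matching such a tool performs: each release registers its third party components, and each advisory in the feed is classified against that register, including the false-positive case noted earlier where the vulnerable component is simply not part of the product. All product names, component versions and CVE ids below are constructed placeholders.

```python
# Added example, not Nokia's tool: classify a vulnerability feed against the
# third-party components registered for one product release, so that only the
# vulnerabilities relevant to that release are reported.
from dataclasses import dataclass


def parse_version(text):
    """'1.2.10' -> (1, 2, 10); tuples compare numerically, strings do not."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    cve_id: str        # placeholder ids, not real CVEs
    component: str
    fixed_in: str      # versions below this are affected
    severity: str


# Constructed per-release component register: release -> {component: version}.
RELEASE_INVENTORY = {
    "example-product 5.1": {"openssl": "3.0.8", "libxml2": "2.11.5"},
}

# Constructed feed entries (placeholder CVE ids).
ADVISORY_FEED = [
    Advisory("CVE-0000-0001", "openssl", "3.0.9", "high"),
    Advisory("CVE-0000-0002", "libxml2", "2.10.0", "medium"),
    Advisory("CVE-0000-0003", "kernel-module-x", "6.1.0", "critical"),
]


def triage(release, inventory=RELEASE_INVENTORY, feed=ADVISORY_FEED):
    """Return (cve_id, severity, status) per advisory for one release.
    relevant:       component registered and below the fixed version -> correction plan
    not affected:   component registered but already at/after the fixed version
    not applicable: component not part of this release (a feed false positive)
    """
    components = inventory[release]
    results = []
    for adv in feed:
        if adv.component not in components:
            status = "not applicable"
        elif parse_version(components[adv.component]) < parse_version(adv.fixed_in):
            status = "relevant"
        else:
            status = "not affected"
        results.append((adv.cve_id, adv.severity, status))
    return results


def report(release):
    """Only the advisories that actually need a correction plan for this release."""
    return [row for row in triage(release) if row[2] == "relevant"]
```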
PSIRT is the central coordination point for vulnerability management
The Nokia PSIRT (Product Security Incident Response Team) provides centralized coordination of critical vulnerabilities that have wide-ranging impacts on Nokia products or have high public profiles. PSIRT acts as the single point of contact for coordinating the escalation of critical product security vulnerabilities inside Nokia. The PSIRT handles the responsible disclosure process for vulnerabilities discovered in Nokia products by external parties, for example security researchers or industry organizations who are not directly affiliated with Nokia or our customers.
Whenever a vulnerability is found in a Nokia product, the PSIRT team asks to be alerted by email at security-alert [at] nokia.com as early as possible, to prevent any potential damage.